Securing WordPress from the Start

WordPress security is an important element of owning a WordPress site and something you need to consider when creating a new WordPress site. In this post, we cover a few methods for securing WordPress from the start, and additional steps you can take to keep your existing WordPress site secure.

Secure WordPress by Installing WordPress Manually

Many hosting companies offer a one-click installation option for WordPress site. Although using a one-click install can make the process simpler and a little quicker, for the purposes of securing WordPress, it’s usually best to install WordPress manually.

1. Create a New Database

If you haven’t already done so, you will need to create a database for your WordPress site. You can create a new database through your host’s cPanel or dashboard, using the MySQL database wizard.  Each host typically has its own setup, but usually allows you to create your database user, password and database all on one screen.

For example, here’s a screenshot of setting up a new database using the MySQL Database wizard.

Just be sure when you create your password for your database user that you create a strong password.  Most hosts will provide you with the option to generate a password.

2. Download the WordPress Software

To get started with the WordPress installation, you can download the WordPress software from WordPress.org.

3. Change WordPress Salts & Security Keys

Once you’ve downloaded WordPress, unzip the file you downloaded and find the wp-config-sample.php file. Open it using a text editor. In this file, you’ll enter all of your new database credentials.

This is also where you will be able to change your WordPress Salts and Security Keys.

Changing your WordPress salts and keys is very important for securing WordPress.

WordPress salts and keys help to encrypt the login information stored in cookies. Basically, WordPress salts and keys act as additional passwords to protect your site.

Whereas a simple password like “password,” “test,” etc. are easy to break, these unique strings would take an extended amount of time to break, even a year or more.

4. Change the Default WordPress Database Table Prefix

While still editing your wp-config-sample.php file, you will also want to change your database table prefix.

By default, the prefix for your WordPress database tables is wp_.  Most quick- install options offered by hosts don’t change this prefix for you and many people know that this is the default prefix.

You’ll want to change the wp_ to a prefix of your own choosing. This can be whatever you like, it just should be followed by an underscore:

Once you’ve made these changes to the file, save it as wp-config.php.

5. Upload Files to Your Server

Either through FTP or your cPanel, upload all of the WordPress files, including your new wp-config.php file to the corresponding directory of your new WordPress site.

6. Create a Unique Admin Username and Strong Password

When the upload has completed, navigate to your site’s domain name.  This will take you to a screen where you can add details about your site and create a username and password.

You’ll see this screen.

Again, you’ll want to make sure the password you create is a strong password; something that would be difficult for someone else to get.

You also want to make sure that the username you create is unique. Using admin as a username is highly discouraged as it makes it simple for someone to guess the username.

WordPress now automatically creates a strong password for you to use.

More Steps for Securing WordPress

These steps cover how to secure WordPress from the start,but there are more steps you can take to secure your site once it is up and running. Taking these further WordPress security steps will help keep your new website secure.

Install a WordPress Security Plugin

For instance, you can install a WordPress security plugin such as iThemes Security to help harden WordPress and help with WordPress security tasks.

Enable Two-Factor Authentication

Using WordPress two-factor authentication is one of the best ways to secure and existing WordPress site.

WordPress Two Factor Authentication adds an important extra layer of protection to your WordPress site’s login and admin area by requiring 1) a password and 2) a secondary time-sensitive code to login.

While it may seem like a hassle at first, using two-factor authentication greatly reduces the risk of WordPress brute force attacks and helps to make sure your admin login credentials are only used by you.

Activate WordPress Brute Force Protection

With the iThemes Security plugin, you can add WordPress Brute Force Protection. WordPress Brute force attacks occur when someone (or a bot) repeatedly tries multiple username and password combinations until they are able to gain access to your site. By default, there is no option in WordPress to block a user or an IP address after a set number of login attempts. Users can try as many times as needed until they get logged in.

The WordPress Brute Force Protection setting in iThemes Security allows you to determine how many attempts specific hosts and users are given before they are blocked and how long they are banned from accessing the site. You can also automatically block any user who attempts to log in using the admin username.

Lock Down WordPress with Away Mode

Another feature to help with securing WordPress is the Away Mode feature in the iThemes Security plugin.

It’s unlikely that you are working on your WorPress website 24 hours a day. Most likely, there is a certain time period you typically work in.  Maybe you’re a freelancer who works another job during the day and works on your site in the evenings.

The Away Mode setting allows you to lock down WordPress by limiting access to the WordPress dashboard so that it is only accessible during a specified interval. This means that no one, no matter their intentions, can log into the backend of your site during that set time period.

The Importance of WordPress Backups

Another important component of your WordPress Security strategy to consider is using a WordPress backup plugin, like BackupBuddy. Plugins such as BackupBuddy are vitally important for those times when, despite your best efforts, your site is hacked.

Enable WordPress Backup Schedules

With BackupBuddy, you can create backup schedules, both of the full site and just your WordPress database. This means that if your site is hacked, you will be able to restore your site to a state before the hack.

You can set automatic WordPress backup schedules to whatever intervals you prefer, but we recommend creating a backup schedule that creates a full site backup monthly and a database backup weekly.

If your site is more active and you are constantly adding new content, a weekly full site backup and a daily database backup might be a better schedule for you. You can also you Stash Live, a feature in BackupBuddy 7.0+, for automatic WordPress backups.

Store WordPress Backups Securely Offsite

When you create your schedules, you also have the option of sending your backup files to an offsite location.

Storing your backups offsite is an excellent security measure in case it is your server, not just your site, that is hacked.  If your backup files are stored in an offsite destination such as BackupBuddy Stash or Google Drive, even if your server is attacked or goes down, you will have access to a backup file that you can restore your site with.

More Tips on Securing WordPress

WordPress security can be overwhelming, but there are simple, actionable steps you can take to start using WordPress security best practices. Check out more WordPress security tips in our free ebook: WordPress Security: A Pocket Guide.

Download the ebook